Finding A Match

Law enforcement agencies turn to social media and facial recognition software to ID crime suspects.

Federal detectives have reason to believe that a man pictured in an online dating profile under a pseudonym carjacked a young mother in Florida, killing her and taking her child.

But they cannot identify the man. They have no fingerprints to run against the FBI's national biometric database because he was wearing gloves. The man's Web page, however, shows photos of his face from many angles-images that can be cross-checked with mug shots in the FBI's database to find potential matching criminal records.

Scouring photos online for contextual clues can be much faster and more accurate than bringing in witnesses to pick the right suspect out of a lineup. Florida is one of several states slated to debut a nationwide facial recognition system in January that can reveal the names of unknown suspects this way.

But another federal enforcement agency is raising privacy concerns about that technique. Face searching is becoming popular in the commercial sector as accuracy improves, cost of the technology decreases and the number of photos uploaded to the Internet skyrockets. In government, authorities appreciate the ability to quickly identify the missing link in a case by finding photo matches online. But the Federal Trade Commission, Congress and academics point to the risk of creating a world where anyone-the good guys and the bad guys-can run a background check on unsuspecting strangers on the street.

"No one has the answer to the trade-off on the good things and the creepy things," says Alessandro Acquisti, an information systems and public policy professor at Carnegie Mellon University.

In a recent study he demonstrated the ability to identify passersby and access their personal information by using webcams, social media profiles and off-the-shelf facial recognition software. The technology matched up faces captured by webcam with images on the social website Facebook. This technique also can deduce the real names of people pictured under aliases on online dating sites.

With digital cameras ubiquitous on smartphones, photos taken surreptitiously could be cross-referenced with images in online communities to decipher someone's name, the last coffee shop visited or other personal information disclosed on social networks. Perhaps more disconcerting, Acquisti's research shows that the biographical information gleaned from using facial recognition on social sites combined with computerized pattern analysis, or data mining, could point to a person's Social Security number.

"No more than 15 years from now, basically there will be a future where the technology is so common, facial images are so widespread, that anyone can do facial recognition just with the mobile devices of the time," he says.

Already, Facebook's Tag Suggestions tool uses facial recognition to automatically suggest names of friends who appear in photos that members upload. The desktop version of Google's Picasa photo software and Apple's iPhoto organizer also use the technology for cataloging pictures that appear to show the same people.

In response to worries about the invasiveness of face searching, FTC hosted a workshop in December 2011 for representatives from consumer groups, privacy organizations, businesses and academia to learn more about the privacy and security ramifications.

In October 2011, Sen. John D. "Jay" Rockefeller IV, D-W.Va., chairman of the Commerce, Science and Transportation Committee, asked the commission for help in updating privacy laws to address abuses of facial recognition. "Following the workshop, we will report back to Chairman Rockefeller and his committee on our conclusions and any recommendations," FTC spokeswoman Claudia B. Farrell said upon receiving a written request from the senator.

Rockefeller wrote that, although current commercial applications search for names only in a user's "contacts" list, other offerings could one day break that boundary. He noted a Google prototype that he said would have allowed a user to scan the Internet for the identity of someone appearing in a photo. The search firm never introduced the feature, due to privacy concerns, Rockefeller said.

Facebook, Apple and Google declined to comment on regulating applications of facial recognition or its potential dangers.

Officials at Facebook have said that individuals are in control of the information they choose to share on their profile pages. Users have the freedom to decide whether to upload pictures of themselves and to delete their entire accounts. The site does not allow facial searching. Facebook also has systems in place to prevent outsiders from "scraping," or repurposing, information that is posted, according to officials.

They add that the root of the problem highlighted by Acquisti's research is the federal government's outdated approach to assigning Social Security numbers. Unfortunately, officials say, any documents indicating someone's age and hometown-wedding announcements, alumni publications and online résumés-can be used to derive portions of Social Security numbers for individuals born after 1988.

Aside from questions about commercial facial search applications, there are growing fears about government applications. Immigration rights groups and civil liberties advocates, who already are worried about federal wiretapping and fingerprinting of noncitizens, have voiced their concerns about the potential to use a mammoth photo gallery to track Americans.

Law enforcement specialists, however, note that the government likely has more restrictions on collecting images than most companies. First off, the FBI's program, called the Next-Generation Identification system, is not synched with surveillance cameras, says Thomas E. Bush III, who helped develop NGI's requirements when he served as an assistant director at the bureau between 2005 and 2009.

"NGI is not going to be streaming every video camera into the FBI," he says. "Just like we don't pull all the fingerprints that are out there." Authorities who violate laws governing the inspection of fingerprints, which also apply to facial images, face dismissal, Bush says.

"This doesn't change or create any new exchanges of data," says Nick Megna, a unit chief at the FBI's criminal justice information services division. "It only provides law enforcement with a new service to determine what photos are of interest to them." The FBI has published a privacy impact assessment summarizing the controls in place to ensure compliance with federal regulations. An audit trail shows who has accessed the system and for what purpose, he says.

Law enforcement officials perhaps one day could compare archived images from surveillance video and camera phones with NGI's data, but only if there is a reason to suspect someone was involved in a crime, Bush says. "Traffic cameras are not constantly feeding into our system," he explains. For example, authorities who believe a bombing suspect may have been driving along a certain road could query recorded footage for a license plate-after the fact, not in real time-to help identify the person.

"If I can recognize the bad guy quicker, it may save my life as a police officer," Bush adds. "If I can find a missing child quicker through the use of facial recognition or the guy who snatched the child-it's just another tool in the homeland security toolbox." In addition to catching crooks, facial recognition could exonerate the wrongly accused, he says. Applying the technique to images captured at the time of a crime and away from the crime scene could prove a person's alibi.

Acquisti tried but could not offer suggestions to prevent exploitation of the technology. "Every time I think about a potential solution, I realize there are many unintended consequences," he says, rattling off a list of downsides.

If the government banned further research into facial searching, beneficial applications could go unnoticed. Creating a "do not identify me" list that would block facial searching, similar to the national Do Not Call registry, could prove difficult. The current push to build a "do not track me" system for websites already has run into roadblocks because of economic and enforcement challenges. You could try deploying programs that blur faces online, but people could take issue with having their website posts obscured.

"It's almost impossible to regulate the gathering of the data," Acquisti says. "Each of these solutions has complications. I don't see any silver bullet."

Still, Bush says marketers probably know more about citizens' private activities than the government does. "You've got much more information that is maintained about you by these data aggregators," he says. Even the grocery store has intelligence on what you like to purchase, Bush adds. And citizens sometimes invade their own privacy by divulging too much information online.

"The social media. People put too much stuff in there," Bush says. "I can just about follow you daily with what people put on Twitter. If I had some ill will toward you, I could find you pretty damn quick."

By using this service you agree not to post material that is obscene, harassing, defamatory, or
otherwise objectionable. Although GovExec.com does not monitor comments posted to this site (and
has no obligation to), it reserves the right to delete, edit, or move any material that it deems
to be in violation of this rule.

Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

In order to better understand the current state of external and internal-facing agency workplace applications, Government Business Council (GBC) and Riverbed undertook an in-depth research study of federal employees. Overall, survey findings indicate that federal IT applications still face a gamut of challenges with regard to quality, reliability, and performance management.

PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.